Description
The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: "custom" with {this.value}).
Published: 2026-03-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The WooCommerce Custom Product Addons Pro plugin allows attackers to run arbitrary PHP code on the server without authentication. The vulnerability is triggered by the use of the eval() function on user‑submitted custom pricing formulas. Because the input is only stripped of HTML tags and not escaped, an attacker can inject PHP code via a custom pricing field (pricingType: "custom") and cause the server to execute that code. This gives the attacker full control over the affected WordPress site, including data theft, defacement, or further compromise.

Affected Systems

Vendors from acowebs offer the WooCommerce Custom Product Addons Pro plugin for WordPress. All releases up to and including version 5.4.1 are affected. Sites running WordPress with any of these plugin versions should be considered vulnerable until the issue is addressed or the plugin is updated to a patched release.

Risk and Exploitability

The CVSS base score is 9.8, indicating a critical severity. EPSS data is not available, but the high CVSS score alone signals a very high likelihood of exploitation. The vulnerability is not listed in KEV, but its nature—unauthenticated remote code execution—makes it a prime target for automated attacks. Based on the description, the likely attack vector is the public website’s product configuration interface; no authentication is required to submit malicious pricing formulas.

Generated by OpenCVE AI on March 24, 2026 at 03:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WooCommerce Custom Product Addons Pro plugin to the latest version (5.4.2 or newer) which removes the eval() call from custom pricing.
  • If an immediate update is not possible, disable the custom pricing feature on all addon products or set pricingType to "none" to prevent evaluation of user input.
  • Limit WordPress administrator access to trusted personnel only and enforce strong authentication controls.
  • Verify that any remaining custom pricing formulas are strictly numeric and free of quotes or PHP syntax before evaluating them.
  • Monitor server logs for unexpected eval usage or malformed pricing inputs and react promptly to any suspicious activity.

Generated by OpenCVE AI on March 24, 2026 at 03:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Acowebs
Acowebs woocommerce Custom Product Addons Pro
Wordpress
Wordpress wordpress
Vendors & Products Acowebs
Acowebs woocommerce Custom Product Addons Pro
Wordpress
Wordpress wordpress

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: "custom" with {this.value}).
Title Woocommerce Custom Product Addons Pro <= 5.4.1 - Unauthenticated Remote Code Execution via Custom Pricing Formula
Weaknesses CWE-95
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Acowebs Woocommerce Custom Product Addons Pro
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:23.860Z

Reserved: 2026-03-11T18:29:35.330Z

Link: CVE-2026-4001

cve-icon Vulnrichment

Updated: 2026-03-24T13:38:04.818Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-24T00:16:31.040

Modified: 2026-03-24T15:53:48.067

Link: CVE-2026-4001

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:36:04Z

Weaknesses